Table of Contents
1. Purpose and Background
a) Fulfillment of ESI Requests
b) Approvals for Internal to UVA ESI Requests
c) External ESI Approvals
d) All Other ESI Requests
4. Related Links
5. Further Guidance
1. Purpose and Background
Investigations and/or business continuity issues sometimes require access to electronic communications and files stored on University systems outside of access that occurs in the approved day-to-day business of the University or is publically available. Access to such electronically stored information (ESI) will only be done with proper approvals from authorizing UVA officials as listed below and in compliance with both the Privacy and Confidentiality of University Information (IRM-012) and the Data Protection of University Information (IRM-003) policies.
Requests to monitor or review electronic communications or files of employees or students will not be granted without appropriate authorization. Such authorization will require justification based on business needs, legal requirements, or sufficient cause from reasonably substantiated allegations of violation of law or policy on the part of the person’s whose ESI will be reviewed or monitored.
Specifically, when the release and/or access is to a user’s ESI, the authorizing official must be the University president or a vice president (or equivalent or designee) responsible for the affected person. When the request is non-content related, such as authentication logs or modification of user account settings, the authorizing official may be a department head or chair (or designee) or a Human Resources employee responsible for the department of affected person. In no cases may a supervisor of an employee authorize release or access to the ESI of an employee, nor accept access to an account or credentials of a user without first receiving approval from the appropriate authorizing official as noted in this document and in accordance with the Privacy and Confidentiality of University Information (IRM-012) policy.
Requests for authorization to monitor or review electronic communications usually originate with supervisors, University human resources staff or Dean of Student representatives. They may also originate with an investigatory authority such as the director of the office for Equal Opportunity and Civil Rights (looking into a sexual harassment claim, for example) or the University's Research Integrity Officer (RIO).
A vice president or designee who is asked to consider authorization for monitoring or reviewing the electronic communications or files of an employee must use his or her judgment in determining if there is sufficient reason to grant such authorization. In these situations, the vice president or designee must maintain confidentiality and is strongly urged to consult with the Office of University Counsel in determining whether to authorize monitoring or review and in determining if the affected employee or anyone else should be notified that the monitoring or review is taking place.
All authorizing officials releasing ESI must recognize the potentially sensitive nature of content that is found during the course of an investigation. Reports and findings must be kept confidential, consistent with the rules of the disciplinary bodies involved. This standard, and its associated procedures and policies, applies to anyone managing or seeking access to content from the electronic communications and files of others stored on University systems and IT resources.
Note: Requests for ESI may be subject to additional review by the Office of University Counsel prior to release.
Fulfillment of ESI Requests
ESI requests are fulfilled as follows, using the procedures outlined in Electronically Stored Information Release Procedures:
Academic Division (Agency 207) and Central IT Resource ESI Requests
The Information Security office coordinates ESI request for approvals for Agency 207. Academic Division departmental system administrators and administrative units should contact the Information Security office by emailing firstname.lastname@example.org
Medical Center (Agency 209) ESI Requests
College at Wise (Agency 246) ESI Requests
Virginia Freedom of Information Act (FOIA) ESI Requests
Requests pursuant to the Virginia Freedom of Information Act (FOIA) should be directed to University Communications.
Family Education Rights and Privacy Act (FERPA) ESI Requests
Requests for student information pursuant to the Family Education Rights and Privacy Act (FERPA) should be directed to the University Registrar.
Approvals for Internal to UVA ESI Requests
Procedures for obtaining ESI are outlined in Electronically Stored Information Release Procedures. The approvals required for ESI requests originating from within the University community are detailed in these procedures. Any ESI request may be sent to the University Information Security office at email@example.com, who will work with the appropriate authorizing official(s), and the Office of University Counsel as necessary, to coordinate the release of the ESI after the appropriate authorizing official has approved it.
External ESI Approvals
ESI requests originating from outside the University community, such as requests from Law enforcement or from government officials, will typically need to be accompanied by legal orders (such as search warrants or subpoenas). Some federal legislation requires additional processes. However, all requests must go to the Office of University Counsel for review. Any employee of the University, who receives such a request, should refer the requestor to the Office of University Counsel. Their address is:
University of Virginia
Madison Hall, Third Floor
P.O. Box 400225
Charlottesville, Virginia 22904-4225
All Other ESI Requests
If you have questions about what ESI is available and/or how to make a request not answered by the above information, please contact the University Information Security office at firstname.lastname@example.org.
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Privacy and Confidentiality of University Information (IRM-012)
- Data Protection of University Information (IRM-003)
- Revoking Information Technology Resource Privileges Standard
- Revoking Information Technology Resource Privileges Procedures
- Electronic Data Removal Standards
- Electronic Data Removal Procedures
- Copyrights of Digital Materials and Software Standard
- Electronically Stored Information Release Procedures
5. Further Guidance
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.